Can developers ask for my Envato private token in order to download a theme update?

I have been using the Envato platform for several years. My latest purchase is a popular WordPress theme. Everything seemed OK, more or less, but then I found something alarming.

In order to update the theme, the developer requires me to create and enter an Envato API token (to which they probably have access). The developer strictly requests, amongst other permissions, that I enable “Download your purchased items”. That means that the developer can use this token to download every item I have bought from your platform (and I have many).

I have bought many templates from your platform, and for every single one the purchase code of the item was enough to download updates.

Are you aware of this?
Is this compliant with your platform policies?
Why should I give access to all of my purchases to a developer in order to update a specific template?

Hi @mistrig,

Yes, this is how the API was designed.

There are two authentication mechanisms for the API:

  • a personal token which grants the holder permission to make API calls on the creator’s behalf
  • an OAuth flow, which allows an author to request specific permissions from a buyer

Theme/plugin authors are free to use whichever of those permissions they like to implement their functionality. What you describe is the first one (a personal token), and unfortunately using that mechanism, permissions must be granted on an all-or-none basis; personal token permissions are not granular enough to control access to specific items.

The OAuth flow is better in this case, as it only permits the caller (author) to download items they know the purchase code for, and they’re only able to see the purchase codes for their own items that you’ve purchased. However, this mechanism does require extra effort on the part of the author, and many authors only implement personal token API access.

We’re aware that this isn’t perfect, but we don’t have another solution at the moment. Granting permissions on a per-item basis is not feasible. I’ll make sure your feedback gets to our product team for consideration.

In the meantime, you can decline to give your token the download permission (or any other permissions, for that matter). Items will generally require some specific permissions to perform their purchase verification steps, and another set to perform automatic updates. You can manually update the item in this case.


Hello @rosssimpson

Thank you for your reply. I didn’t expect the requirement of those permissions to be a normal procedure. Manual update is an option, but still, I do buy premium templates to avoid these kinds of inconveniences. I can understand that you cannot force authors to use OAuth exclusively for auto-update, but I do recommend distinguishing in some way the templates that require these kinds of permissions.

I hope these comments will be helpful.

Best Regards

